In cloud services environments today, the cloud service provider's host workload management software (such as a Virtual Machine Monitor (VMM) in a virtualization environment) has full control over the guest workloads (such as guest Virtual Machines) that the host workload management software manages on behalf of a consumer of cloud services. The host workload management software can read or write to guest memory, modify the control flow of software executing the guest workload, read or modify guest register state, read or modify guest control structures, such as register values, and so on. This complete control of the execution of a guest workload poses a security risk that the host workload management software is compromised and may modify the guest workload such that consumer's secrets and data residing within the guest workload are exposed.